OpenAI hailed for ‘swift move’ in terminating Mixpanel ties after data breach hits developers
The Mixpanel breach prompted OpenAI to launch a review into its broader supplier ecosystem
OpenAI has admitted a security breach at a third-party supplier exposed customer emails, location information, and “limited analytics data related to some users of the API”.
The supplier, Mixpanel, provides data analytics services via OpenAI’s developer platform. OpenAI said the platform is used to help “understand product usage” and improve services for its API product, platform.openai.com.
On 9 November, Mixpanel discovered an attacker gained unauthorized access to systems. They then exfiltrated a dataset containing “limited customer identifiable information and analytics information”.
A full outline of data exposed, per an OpenAI statement on the breach, includes:
- Names provided via Mixpanel API accounts
- Email addresses associated with the API account
- “Aproximate course location based on API user browsers” (including city, state, and country)
- Information on operating systems and browsers used to access the API account
- Referring websites associated with the API account
OpenAI has been keen to stress that the breach only affects developers and not general ChatGPT users. It also said developer credentials – including passwords, payment information, and government IDs – weren’t exposed.
OpenAI added that it’s currently in the process of notifying those affected by the incident.
A swift response from OpenAI
Upon discovery of the breach, OpenAI said it removed Mixpanel from production services and began a review of affected datasets.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
While the investigation is still ongoing, the company noted it has so far found “no evidence of any effect on systems or data outside Mixpanel’s environment”.
The company has since terminated its use of the data analytics platform and said it will conduct a review of its broader supplier ecosystem.
“Trust, security, and privacy are foundational to our products, our organisation, and our mission, OpenAI said in a statement. “We also hold our partners and vendors accountable for the highest bar for security and privacy of their services.”
Jake Moore, global cybersecurity advisor at ESET, commended OpenAI for its “swift move” in alerting users and cutting ties with the supplier. Many organizations try to minimize security incidents and keep them “under the radar”, he said.
“Companies often fear the aftermath of an attack and presume it will be brand damaging,” Moore commented. “However, openness is now deemed far more important and speed is usually of the essence in making anyone affected aware of the situation.”
Developers warned to remain vigilant
OpenAI said information exposed in the breach could be used by hackers to carry out future attacks on users and encouraged them to “remain vigilant”.
These types of warnings are common in the wake of a data breach, according to Moore.
“Even though the exposed data was low-sensitivity, it could still be misused in the likes of social engineering techniques or via phishing attacks because attackers could combine the data such as name, email, even approximate location data to craft convincing fraudulent messages,” he explained.
“As within the wake of typical data compromises, those affected need to remain vigilant for suspicious emails or other strange communications.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Gartner says 40% of enterprises will experience ‘shadow AI’ breaches by 2030
- AI breaches aren’t just a scare story any more – they’re happening in real life
- Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposed

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
Amazon OpenSearch update targets performance boosts and lower costsNews Surging data volumes have prompted an overhaul of Amazon’s OpenSearch service
-
Cyber experts say they've identified the first case of ‘agentic ransomware’News While the JadePuffer ransomware has alarm bells ringing, it still needed a human in the loop
-
With jobs on the line, CEOs now demand cyber attack recovery in hours, not days or weeksNews Recovery takes most organizations weeks or months, CEOs think it should be far quicker
-
OpenAI expands 'Daybreak' cyber program: New tools, partnerships, and a cyber-focused GPT-5.5 aim to help 'patch the world'News The company has added new tools, signed up partners, and released its GPT-5.5-Cyber model more widely
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
$600bn lost every year to downtime as organizations battle hidden costsNews Disclosure, stock prices, ransoms and fines add up to hundreds of billions as unplanned downtime for large firms shoots up 50% in just two years
-
Everything you need to know about ChatGPT’s new Advanced Account Security featuresNews OpenAI has introduced new tools to tightening up access to ChatGPT, Codex, and its other AI tools
-
OpenAI is cracking down on AI misuse with a new bug bounty programNews Submissions don't have to be security vulnerabilities, OpenAI says, just the potential to cause material harm
-
'The latest in a series of public sector data disasters': Cyber experts hit out at Companies House security fiascoNews The incident at Companies House underlines the need for more robust public sector security capabilities
-
A single compromised account gave hackers access to 1.2 million French banking recordsNews Ficoba has warned that “numerous” scams are already in circulation following the data breach